WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3751 | Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress | 41 | 27 | 168 | 2k+ | Request data is not unslashed | ||
| #3752 | tarteaucitron.io | 41 | 44 | 92 | 10k+ | Output is not escaped | ||
| #3753 | Taxonomy Converter | 41 | 54 | 24 | 500 | Output is not escaped | ||
| #3754 | Taxonomy Filter | 41 | 143 | 40 | 800 | Output is not escaped | ||
| #3755 | Text Hover | 41 | 44 | 13 | 1k+ | Output is not escaped | ||
| #3756 | Text Replace | 41 | 55 | 12 | 3k+ | Output is not escaped | ||
| #3757 | Theme Blvd Importer | 41 | 25 | 58 | 500 | Missing nonce verification | ||
| #3758 | Theme Duplicator | 41 | 14 | 31 | 400 | Nonce verification recommended | ||
| #3759 | Threat Scan Plugin | 41 | 29 | 17 | 400 | Output is not escaped | ||
| #3760 | Advanced Editor Tools | 41 | 143 | 84 | 1m+ | Unsafe printing function | ||
| #3761 | TW Pagination | 41 | 90 | 23 | 1k+ | Non Singular String Literal Domain | ||
| #3762 | Unbloater | 41 | 57 | 18 | 5k+ | Output is not escaped | ||
| #3763 | Usersnap | 41 | 37 | 17 | 500 | Output is not escaped | ||
| #3764 | Visibility Logic for Elementor | 41 | 27 | 43 | 30k+ | Output is not escaped | ||
| #3765 | fancyBox 3 for WordPress | 41 | 72 | 11 | 1k+ | Output is not escaped | ||
| #3766 | Waka Bulk Page | 41 | 52 | 16 | 1k+ | Unsafe printing function | ||
| #3767 | WaveSurfer-WP | 41 | 83 | 22 | 400 | Unsafe printing function | ||
| #3768 | Abandoned Cart Recovery for WooCommerce | 41 | 20 | 202 | 4k+ | Request data is not unslashed | ||
| #3769 | Checkout Field Editor (Checkout Manager) for WooCommerce | 41 | 9 | 88 | 400k+ | Nonce verification recommended | ||
| #3770 | Top Image SEO | 41 | 115 | 26 | 5k+ | Unsafe printing function | ||
| #3771 | M-Pesa(Kenya) Checkout for Woocommerce | 41 | 46 | 38 | 1k+ | Text Domain Mismatch | ||
| #3772 | WPC Product Bundles for WooCommerce | 41 | 21 | 93 | 30k+ | Missing nonce verification | ||
| #3773 | Country Based Restrictions for WooCommerce | 41 | 27 | 67 | 5k+ | Request data is not unslashed | ||
| #3774 | Quick View For WooCommerce | 41 | 44 | 44 | 1k+ | Output is not escaped | ||
| #3775 | WooCommerce Colors | 41 | 63 | 28 | 10k+ | Output is not escaped | ||
| #3776 | Pay for Payment for WooCommerce | 41 | 29 | 67 | 10k+ | Missing nonce verification | ||
| #3777 | Spam Protect for Contact Form 7 | 41 | 16 | 61 | 10k+ | Request data is not unslashed | ||
| #3778 | WP Crontrol | 41 | 20 | 91 | 300k+ | Nonce verification recommended | ||
| #3779 | WP Extended Search | 41 | 159 | 37 | 20k+ | Output is not escaped | ||
| #3780 | Regions for WP Job Manager | 41 | 29 | 55 | 7k+ | Nonce verification recommended | ||
| #3781 | WP Lorem ipsum | 41 | 37 | 29 | 500 | Unsafe printing function | ||
| #3782 | WP Media folders | 41 | 19 | 74 | 3k+ | Direct Query | ||
| #3783 | Pledged Plugins PCI Gateway for NMI and WooCommerce | 41 | 160 | 42 | 2k+ | Text Domain Mismatch | ||
| #3784 | WP Router | 41 | 29 | 13 | 800 | Exception output is not escaped | ||
| #3785 | WP Test Email | 41 | 32 | 28 | 20k+ | Unsafe printing function | ||
| #3786 | User Login Notifier for WordPress | 41 | 72 | 26 | 1k+ | Output is not escaped | ||
| #3787 | WPC Composite Products for WooCommerce | 41 | 11 | 73 | 9k+ | Missing nonce verification | ||
| #3788 | WPS Hide Login | 41 | 34 | 72 | 2m+ | Nonce verification recommended | ||
| #3789 | Export WooCommerce Orders, Products, Customers & Coupons to Google Sheets | 41 | 45 | 35 | 700 | Output is not escaped | ||
| #3790 | Simple Accessibility Button | 41 | 33 | 171 | 900 | Non-prefixed global variable | ||
| #3791 | Z-Credit Checkout – WooCommerce Payment Gateway | 41 | 151 | 22 | 900 | Text Domain Mismatch | ||
| #3792 | Zilla Portfolio | 41 | 139 | 15 | 400 | Text Domain Mismatch | ||
| #3793 | Pricing Table – Responsive & Easy | 42 | 117 | 148 | 3k+ | Non-prefixed global variable | ||
| #3794 | ActiveTrail – Contact Form 7 | 42 | 18 | 85 | 600 | Missing nonce verification | ||
| #3795 | Add to Home Screen & Progressive Web App | 42 | 23 | 68 | 1k+ | Request data is not unslashed | ||
| #3796 | Admin Options Pages | 42 | 3 | 284 | 500 | Nonce verification recommended | ||
| #3797 | Affiliate Link Tracker | 42 | 24 | 49 | 500 | Request data is not unslashed | ||
| #3798 | Agoda Affiliate Partners Text Link Generator | 42 | 4 | 40 | 500 | Interpolated SQL is not prepared | ||
| #3799 | Post Grid Master — Post Grids & AJAX Filters | 42 | 44 | 115 | 1k+ | Non-prefixed global variable | ||
| #3800 | Open Currency Converter | 42 | 59 | 19 | 1k+ | Unsafe printing function |